The FTC Health Breach Notification Rule was enacted 10 years ago to protect the privacy and security of consumer health data not covered by HIPAA, but it was never enforced. A policy decision enacted on Sept. 15 will change that.

X-Force researchers also found cryptominers and ransomware account for more than 50% of detected system compromises.

LifeLong Medical is just now notifying 115,448 patients that their data was compromised during a ransomware attack against one of its vendors, Netgain. However, the initial breach reports were first released more than six months ago, putting the notice far outside the 60-day HIPAA requirement.

Patients impacted by data breaches at Sturdy Memorial Hospital and Dupage Medical filed separate lawsuits alleging claims that center around inadequate security measures. With the Supreme Court defining actual harm in a June decision, it’s unclear how the cases will proceed.

The Jenkins project reported Friday that one of its servers was successfully attacked by hackers using a recently warned about Confluence vulnerability to install a cryptocurrency miner.

Representatives from critical infrastructure hammered at two key differences between the House and Senate versions of the bill: the amount of time that entities would have to report a cyber incident, and the level of certainly that would need to be present before doing so.

A roundup of notable health care data breaches this week is led by a cyberattack and network outage at DuPage Medical Group that compromised the data of 600,000 patients. Beaumont Health, San Andreas Regional, and other providers reported incidents this week, as well.

Unlike the majority of cloud breaches, this one was not caused by customer misconfiguration, but rather an oversight by the provider – Microsoft Azure. Said one CISO, a fundamental shift in how software is developed requires more "accountability for configuring and automating the build process to enhance resiliency for the entire attack surface."